Recently I have reviewed the newest version of Symantec NetBackup ™ Security and Encryption Guide and I realized that I have not met so often in my customer environment an important NetBackup security option: NBAC. Hmm, I can admit, I have seen twice this feature implemented...
The NetBackup Access Control (NBAC) is the role-based access control that is used for master servers, media servers, and clients. NBAC can be used in the following situations:
- Use a set of permissions for different levels of administrators for an application. A backup application can have operators (perhaps load and unload tapes).
- Separate administrators so that root permission to the system is not required to administer the system. You can then separate the administrators for the systems themselves from the ones who administer the applications.
NetBackup Access Control (NBAC) Components
There are following NBAC components:
-
Root broker - Authenticates the authentication broker. The root broker does not authenticate clients.
-
Authentication broker - Authenticates the master server, media server, GUI, and clients by establishing credentials with each one of them. The authentication broker also authenticates a user when operating a command prompt. There can be more than one authentication broker in a datacenter installation. The authentication broker can be combined with the root broker.
-
Authorization engine - Communicates with the master server and the media server to determine the permissions of an authenticated user. These permissions determine the functionality available to a given server. The authorization engine also stores user groups and permissions. Only one authorization engine is required in a datacenter installation. The authorization engine also communicates over the WAN to authorize other media servers in a multi-datacenter environment.
- GUI - Specifies a Remote Administration Console that receives credentials from the authentication brokers. The GUI then may use the credentials to gain access to functionality on the clients, media, and master servers.
The NetBackup Access Control (NBAC) offers you higher security and permission granularity but also more complexity of your backup environment. When you need to upgrade the NetBackup, you also have to follow additional steps to be able to do the upgrade successfully. Fortunately, installing and configuring NBAC is not difficult since NetBackup 7.x (configuring NBAC with NBU 6.x or older was a nightmare!).
Please follow the next post to configure NBAC on Master, Media and NetBackup clients.